Take PIN ownership to minimze memory copy-s

metsma · metsma · commit 261c0d07eb60 · 2024-08-06T09:56:55.000+03:00
WE2-1007

Signed-off-by: Raul Metsma &lt;raul@metsma.ee&gt;
diff --git a/include/electronic-id/electronic-id.hpp b/include/electronic-id/electronic-id.hpp
@@ -65,7 +65,7 @@ class ElectronicID
 
     virtual PinRetriesRemainingAndMax authPinRetriesLeft() const = 0;
 
-    virtual pcsc_cpp::byte_vector signWithAuthKey(const byte_vector& pin,
+    virtual pcsc_cpp::byte_vector signWithAuthKey(byte_vector&& pin,
                                                   const byte_vector& hash) const = 0;
 
     // Functions related to signing.
@@ -77,7 +77,7 @@ class ElectronicID
 
     virtual PinRetriesRemainingAndMax signingPinRetriesLeft() const = 0;
 
-    virtual Signature signWithSigningKey(const byte_vector& pin, const byte_vector& hash,
+    virtual Signature signWithSigningKey(byte_vector&& pin, const byte_vector& hash,
                                          const HashAlgorithm hashAlgo) const = 0;
 
     // General functions.
diff --git a/src/electronic-ids/ms-cryptoapi/MsCryptoApiElectronicID.cpp b/src/electronic-ids/ms-cryptoapi/MsCryptoApiElectronicID.cpp
@@ -34,7 +34,7 @@ JsonWebSignatureAlgorithm MsCryptoApiElectronicID::authSignatureAlgorithm() cons
     return getAuthAlgorithmFromCert(certData);
 }
 
-byte_vector MsCryptoApiElectronicID::signWithAuthKey(const byte_vector& /* pin */,
+byte_vector MsCryptoApiElectronicID::signWithAuthKey(byte_vector&& /* pin */,
                                                      const byte_vector& hash) const
 {
     if (certType != CertificateType::AUTHENTICATION) {
@@ -56,7 +56,7 @@ const std::set<SignatureAlgorithm>& MsCryptoApiElectronicID::supportedSigningAlg
 }
 
 ElectronicID::Signature
-MsCryptoApiElectronicID::signWithSigningKey(const byte_vector& /* pin */, const byte_vector& hash,
+MsCryptoApiElectronicID::signWithSigningKey(byte_vector&& /* pin */, const byte_vector& hash,
                                             const HashAlgorithm hashAlgo) const
 {
     if (certType != CertificateType::SIGNING) {
diff --git a/src/electronic-ids/ms-cryptoapi/MsCryptoApiElectronicID.hpp b/src/electronic-ids/ms-cryptoapi/MsCryptoApiElectronicID.hpp
@@ -84,7 +84,7 @@ class MsCryptoApiElectronicID : public ElectronicID
         return {uint8_t(PIN_RETRY_COUNT_PLACEHOLDER), PIN_RETRY_COUNT_PLACEHOLDER};
     }
 
-    byte_vector signWithAuthKey(const byte_vector& pin, const byte_vector& hash) const override;
+    byte_vector signWithAuthKey(byte_vector&& pin, const byte_vector& hash) const override;
 
     const std::set<SignatureAlgorithm>& supportedSigningAlgorithms() const override;
 
@@ -98,7 +98,7 @@ class MsCryptoApiElectronicID : public ElectronicID
         return {uint8_t(PIN_RETRY_COUNT_PLACEHOLDER), PIN_RETRY_COUNT_PLACEHOLDER};
     }
 
-    Signature signWithSigningKey(const byte_vector& pin, const byte_vector& hash,
+    Signature signWithSigningKey(byte_vector&& pin, const byte_vector& hash,
                                  const HashAlgorithm hashAlgo) const override;
 
     std::string name() const override
diff --git a/src/electronic-ids/pcsc/EIDIDEMIA.cpp b/src/electronic-ids/pcsc/EIDIDEMIA.cpp
@@ -46,15 +46,15 @@ byte_vector EIDIDEMIA::getCertificateImpl(const CertificateType type) const
                                                                  : selectCertificate().SIGN_CERT);
 }
 
-byte_vector EIDIDEMIA::signWithAuthKeyImpl(const byte_vector& pin, const byte_vector& hash) const
+byte_vector EIDIDEMIA::signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const
 {
     // Select authentication application and authentication security environment.
     transmitApduWithExpectedResponse(*card, selectApplicationID().MAIN_AID);
     transmitApduWithExpectedResponse(*card, selectApplicationID().AUTH_AID);
     selectAuthSecurityEnv();
 
-    verifyPin(*card, AUTH_PIN_REFERENCE, pin, authPinMinMaxLength().first, pinBlockLength(),
-              PIN_PADDING_CHAR);
+    verifyPin(*card, AUTH_PIN_REFERENCE, std::move(pin), authPinMinMaxLength().first,
+              pinBlockLength(), PIN_PADDING_CHAR);
 
     return internalAuthenticate(*card,
                                 authSignatureAlgorithm().isRSAWithPKCS1Padding()
@@ -69,7 +69,7 @@ ElectronicID::PinRetriesRemainingAndMax EIDIDEMIA::authPinRetriesLeftImpl() cons
     return pinRetriesLeft(AUTH_PIN_REFERENCE);
 }
 
-ElectronicID::Signature EIDIDEMIA::signWithSigningKeyImpl(const byte_vector& pin,
+ElectronicID::Signature EIDIDEMIA::signWithSigningKeyImpl(byte_vector&& pin,
                                                           const byte_vector& hash,
                                                           const HashAlgorithm hashAlgo) const
 {
@@ -88,8 +88,8 @@ ElectronicID::Signature EIDIDEMIA::signWithSigningKeyImpl(const byte_vector& pin
         }
     }
 
-    verifyPin(*card, signingPinReference(), pin, signingPinMinMaxLength().first, pinBlockLength(),
-              PIN_PADDING_CHAR);
+    verifyPin(*card, signingPinReference(), std::move(pin), signingPinMinMaxLength().first,
+              pinBlockLength(), PIN_PADDING_CHAR);
 
     return {useInternalAuthenticateAndRSAWithPKCS1PaddingDuringSigning()
                 ? internalAuthenticate(*card, addRSAOID(hashAlgo, hash), name())
diff --git a/src/electronic-ids/pcsc/EIDIDEMIA.hpp b/src/electronic-ids/pcsc/EIDIDEMIA.hpp
@@ -49,10 +49,10 @@ class EIDIDEMIA : public PcscElectronicID
     byte_vector getCertificateImpl(const CertificateType type) const override;
 
     PinRetriesRemainingAndMax authPinRetriesLeftImpl() const override;
-    byte_vector signWithAuthKeyImpl(const byte_vector& pin, const byte_vector& hash) const override;
+    byte_vector signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const override;
 
     PinRetriesRemainingAndMax signingPinRetriesLeftImpl() const override;
-    Signature signWithSigningKeyImpl(const byte_vector& pin, const byte_vector& hash,
+    Signature signWithSigningKeyImpl(byte_vector&& pin, const byte_vector& hash,
                                      const HashAlgorithm hashAlgo) const override;
 
     virtual const SelectApplicationIDCmds& selectApplicationID() const;
diff --git a/src/electronic-ids/pcsc/FinEID.cpp b/src/electronic-ids/pcsc/FinEID.cpp
@@ -75,9 +75,9 @@ byte_vector FinEIDv3::getCertificateImpl(const CertificateType type) const
         *card, type.isAuthentication() ? SELECT_AUTH_CERT_FILE : SELECT_SIGN_CERT_FILE_V3);
 }
 
-byte_vector FinEIDv3::signWithAuthKeyImpl(const byte_vector& pin, const byte_vector& hash) const
+byte_vector FinEIDv3::signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const
 {
-    return sign(authSignatureAlgorithm().hashAlgorithm(), hash, pin, AUTH_PIN_REFERENCE,
+    return sign(authSignatureAlgorithm().hashAlgorithm(), hash, std::move(pin), AUTH_PIN_REFERENCE,
                 authPinMinMaxLength(), AUTH_KEY_REFERENCE, RSA_PSS_ALGO, 0x00);
 }
 
@@ -91,11 +91,10 @@ const std::set<SignatureAlgorithm>& FinEIDv3::supportedSigningAlgorithms() const
     return ELLIPTIC_CURVE_SIGNATURE_ALGOS();
 }
 
-ElectronicID::Signature FinEIDv3::signWithSigningKeyImpl(const byte_vector& pin,
-                                                         const byte_vector& hash,
+ElectronicID::Signature FinEIDv3::signWithSigningKeyImpl(byte_vector&& pin, const byte_vector& hash,
                                                          const HashAlgorithm hashAlgo) const
 {
-    return {sign(hashAlgo, hash, pin, SIGNING_PIN_REFERENCE, signingPinMinMaxLength(),
+    return {sign(hashAlgo, hash, std::move(pin), SIGNING_PIN_REFERENCE, signingPinMinMaxLength(),
                  SIGNING_KEY_REFERENCE_V3, ECDSA_ALGO, 0x40),
             {SignatureAlgorithm::ES, hashAlgo}};
 }
@@ -105,10 +104,9 @@ ElectronicID::PinRetriesRemainingAndMax FinEIDv3::signingPinRetriesLeftImpl() co
     return pinRetriesLeft(SIGNING_PIN_REFERENCE);
 }
 
-byte_vector FinEIDv3::sign(const HashAlgorithm hashAlgo, const byte_vector& hash,
-                           const byte_vector& pin, byte_type pinReference,
-                           PinMinMaxLength pinMinMaxLength, byte_type keyReference,
-                           byte_type signatureAlgo, byte_type LE) const
+byte_vector FinEIDv3::sign(const HashAlgorithm hashAlgo, const byte_vector& hash, byte_vector&& pin,
+                           byte_type pinReference, PinMinMaxLength pinMinMaxLength,
+                           byte_type keyReference, byte_type signatureAlgo, byte_type LE) const
 {
     if (signatureAlgo != ECDSA_ALGO && hashAlgo.isSHA3()) {
         THROW(ArgumentFatalError, "No OID for algorithm " + std::string(hashAlgo));
@@ -137,7 +135,7 @@ byte_vector FinEIDv3::sign(const HashAlgorithm hashAlgo, const byte_vector& hash
 
     transmitApduWithExpectedResponse(*card, SELECT_MASTER_FILE);
 
-    verifyPin(*card, pinReference, pin, pinMinMaxLength.first, pinMinMaxLength.second,
+    verifyPin(*card, pinReference, std::move(pin), pinMinMaxLength.first, pinMinMaxLength.second,
               PIN_PADDING_CHAR);
     // Select security environment for COMPUTE SIGNATURE.
     selectSecurityEnv(*card, 0xB6, signatureAlgo, keyReference, name());
@@ -198,17 +196,16 @@ byte_vector FinEIDv4::getCertificateImpl(const CertificateType type) const
         *card, type.isAuthentication() ? SELECT_AUTH_CERT_FILE : SELECT_SIGN_CERT_FILE_V4);
 }
 
-byte_vector FinEIDv4::signWithAuthKeyImpl(const byte_vector& pin, const byte_vector& hash) const
+byte_vector FinEIDv4::signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const
 {
-    return sign(authSignatureAlgorithm().hashAlgorithm(), hash, pin, AUTH_PIN_REFERENCE,
+    return sign(authSignatureAlgorithm().hashAlgorithm(), hash, std::move(pin), AUTH_PIN_REFERENCE,
                 authPinMinMaxLength(), AUTH_KEY_REFERENCE, ECDSA_ALGO, 0x60);
 }
 
-ElectronicID::Signature FinEIDv4::signWithSigningKeyImpl(const byte_vector& pin,
-                                                         const byte_vector& hash,
+ElectronicID::Signature FinEIDv4::signWithSigningKeyImpl(byte_vector&& pin, const byte_vector& hash,
                                                          const HashAlgorithm hashAlgo) const
 {
-    return {sign(hashAlgo, hash, pin, SIGNING_PIN_REFERENCE, signingPinMinMaxLength(),
+    return {sign(hashAlgo, hash, std::move(pin), SIGNING_PIN_REFERENCE, signingPinMinMaxLength(),
                  SIGNING_KEY_REFERENCE_V4, ECDSA_ALGO, 0x60),
             {SignatureAlgorithm::ES, hashAlgo}};
 }
diff --git a/src/electronic-ids/pcsc/FinEID.hpp b/src/electronic-ids/pcsc/FinEID.hpp
@@ -49,12 +49,12 @@ class FinEIDv3 : public PcscElectronicID
     std::string name() const override { return "FinEID v3"; }
     Type type() const override { return FinEID; }
 
-    byte_vector signWithAuthKeyImpl(const byte_vector& pin, const byte_vector& hash) const override;
+    byte_vector signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const override;
 
-    Signature signWithSigningKeyImpl(const byte_vector& pin, const byte_vector& hash,
+    Signature signWithSigningKeyImpl(byte_vector&& pin, const byte_vector& hash,
                                      const HashAlgorithm hashAlgo) const override;
 
-    byte_vector sign(const HashAlgorithm hashAlgo, const byte_vector& hash, const byte_vector& pin,
+    byte_vector sign(const HashAlgorithm hashAlgo, const byte_vector& hash, byte_vector&& pin,
                      byte_type pinReference, PinMinMaxLength pinMinMaxLength,
                      byte_type keyReference, byte_type signatureAlgo, byte_type LE) const;
 
@@ -76,9 +76,9 @@ class FinEIDv4 : public FinEIDv3
 
     std::string name() const override { return "FinEID v4"; }
 
-    byte_vector signWithAuthKeyImpl(const byte_vector& pin, const byte_vector& hash) const override;
+    byte_vector signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const override;
 
-    Signature signWithSigningKeyImpl(const byte_vector& pin, const byte_vector& hash,
+    Signature signWithSigningKeyImpl(byte_vector&& pin, const byte_vector& hash,
                                      const HashAlgorithm hashAlgo) const override;
 };
 
diff --git a/src/electronic-ids/pcsc/PcscElectronicID.hpp b/src/electronic-ids/pcsc/PcscElectronicID.hpp
@@ -35,29 +35,27 @@ class PcscElectronicID : public ElectronicID
     PcscElectronicID(pcsc_cpp::SmartCard::ptr _card) : ElectronicID(std::move(_card)) {}
 
 protected:
-    pcsc_cpp::byte_vector getCertificate(const CertificateType type) const override
+    byte_vector getCertificate(const CertificateType type) const override
     {
         auto transactionGuard = card->beginTransaction();
         return getCertificateImpl(type);
     }
 
-    pcsc_cpp::byte_vector signWithAuthKey(const pcsc_cpp::byte_vector& pin,
-                                          const pcsc_cpp::byte_vector& hash) const override
+    byte_vector signWithAuthKey(byte_vector&& pin, const byte_vector& hash) const override
     {
         validateAuthHashLength(authSignatureAlgorithm(), name(), hash);
 
         auto transactionGuard = card->beginTransaction();
-        return signWithAuthKeyImpl(pin, hash);
+        return signWithAuthKeyImpl(std::move(pin), hash);
     }
 
-    Signature signWithSigningKey(const pcsc_cpp::byte_vector& pin,
-                                 const pcsc_cpp::byte_vector& hash,
+    Signature signWithSigningKey(byte_vector&& pin, const byte_vector& hash,
                                  const HashAlgorithm hashAlgo) const override
     {
         validateSigningHash(*this, hashAlgo, hash);
 
         auto transactionGuard = card->beginTransaction();
-        return signWithSigningKeyImpl(pin, hash, hashAlgo);
+        return signWithSigningKeyImpl(std::move(pin), hash, hashAlgo);
     }
 
     PinRetriesRemainingAndMax signingPinRetriesLeft() const override
@@ -77,15 +75,13 @@ class PcscElectronicID : public ElectronicID
     // they have to be implemented when adding a new electronic ID.
     // This design follows the non-virtual interface pattern.
 
-    virtual pcsc_cpp::byte_vector getCertificateImpl(const CertificateType type) const = 0;
+    virtual byte_vector getCertificateImpl(const CertificateType type) const = 0;
 
-    virtual pcsc_cpp::byte_vector signWithAuthKeyImpl(const pcsc_cpp::byte_vector& pin,
-                                                      const pcsc_cpp::byte_vector& hash) const = 0;
+    virtual byte_vector signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const = 0;
 
     virtual PinRetriesRemainingAndMax authPinRetriesLeftImpl() const = 0;
 
-    virtual Signature signWithSigningKeyImpl(const pcsc_cpp::byte_vector& pin,
-                                             const pcsc_cpp::byte_vector& hash,
+    virtual Signature signWithSigningKeyImpl(byte_vector&& pin, const byte_vector& hash,
                                              const HashAlgorithm hashAlgo) const = 0;
 
     virtual PinRetriesRemainingAndMax signingPinRetriesLeftImpl() const = 0;
diff --git a/src/electronic-ids/pcsc/pcsc-common.hpp b/src/electronic-ids/pcsc/pcsc-common.hpp
@@ -43,16 +43,15 @@ inline pcsc_cpp::byte_vector getCertificate(pcsc_cpp::SmartCard& card,
     return readBinary(card, length, MAX_LE_VALUE);
 }
 
-inline pcsc_cpp::byte_vector addPaddingToPin(const pcsc_cpp::byte_vector& pin, size_t paddingLength,
+inline pcsc_cpp::byte_vector addPaddingToPin(pcsc_cpp::byte_vector&& pin, size_t paddingLength,
                                              pcsc_cpp::byte_type paddingChar)
 {
-    auto paddedPin = pin;
-    paddedPin.resize(std::max(pin.size(), paddingLength), paddingChar);
-    return paddedPin;
+    pin.resize(std::max(pin.size(), paddingLength), paddingChar);
+    return pin;
 }
 
 inline void verifyPin(pcsc_cpp::SmartCard& card, pcsc_cpp::byte_type p2,
-                      const pcsc_cpp::byte_vector& pin, uint8_t pinMinLength, size_t paddingLength,
+                      pcsc_cpp::byte_vector&& pin, uint8_t pinMinLength, size_t paddingLength,
                       pcsc_cpp::byte_type paddingChar)
 {
     const pcsc_cpp::CommandApdu VERIFY_PIN {0x00, 0x20, 0x00, p2};
@@ -64,8 +63,8 @@ inline void verifyPin(pcsc_cpp::SmartCard& card, pcsc_cpp::byte_type p2,
         response = card.transmitCTL(verifyPin, 0, pinMinLength);
 
     } else {
-        const pcsc_cpp::CommandApdu verifyPin {VERIFY_PIN,
-                                               addPaddingToPin(pin, paddingLength, paddingChar)};
+        const pcsc_cpp::CommandApdu verifyPin {
+            VERIFY_PIN, addPaddingToPin(std::move(pin), paddingLength, paddingChar)};
 
         response = card.transmit(verifyPin);
     }
diff --git a/src/electronic-ids/pkcs11/Pkcs11ElectronicID.cpp b/src/electronic-ids/pkcs11/Pkcs11ElectronicID.cpp
@@ -214,7 +214,7 @@ ElectronicID::PinRetriesRemainingAndMax Pkcs11ElectronicID::authPinRetriesLeft()
     return {authToken.retry, module.retryMax};
 }
 
-pcsc_cpp::byte_vector Pkcs11ElectronicID::signWithAuthKey(const byte_vector& pin,
+pcsc_cpp::byte_vector Pkcs11ElectronicID::signWithAuthKey(byte_vector&& pin,
                                                           const byte_vector& hash) const
 {
     REQUIRE_NON_NULL(manager)
@@ -254,7 +254,7 @@ ElectronicID::PinRetriesRemainingAndMax Pkcs11ElectronicID::signingPinRetriesLef
     return {signingToken.retry, module.retryMax};
 }
 
-ElectronicID::Signature Pkcs11ElectronicID::signWithSigningKey(const byte_vector& pin,
+ElectronicID::Signature Pkcs11ElectronicID::signWithSigningKey(byte_vector&& pin,
                                                                const byte_vector& hash,
                                                                const HashAlgorithm hashAlgo) const
 {
diff --git a/src/electronic-ids/pkcs11/Pkcs11ElectronicID.hpp b/src/electronic-ids/pkcs11/Pkcs11ElectronicID.hpp
@@ -59,13 +59,13 @@ class Pkcs11ElectronicID : public ElectronicID
     PinMinMaxLength authPinMinMaxLength() const override;
 
     PinRetriesRemainingAndMax authPinRetriesLeft() const override;
-    byte_vector signWithAuthKey(const byte_vector& pin, const byte_vector& hash) const override;
+    byte_vector signWithAuthKey(byte_vector&& pin, const byte_vector& hash) const override;
 
     const std::set<SignatureAlgorithm>& supportedSigningAlgorithms() const override;
     PinMinMaxLength signingPinMinMaxLength() const override;
 
     PinRetriesRemainingAndMax signingPinRetriesLeft() const override;
-    Signature signWithSigningKey(const byte_vector& pin, const byte_vector& hash,
+    Signature signWithSigningKey(byte_vector&& pin, const byte_vector& hash,
                                  const HashAlgorithm hashAlgo) const override;
 
     void release() const override;
diff --git a/tests/integration/test-authenticate.cpp b/tests/integration/test-authenticate.cpp
@@ -57,15 +57,15 @@ TEST(electronic_id_test, authenticate)
 
     GTEST_ASSERT_GE(cardInfo->eid().authPinRetriesLeft().first, 0U);
 
-    const byte_vector pin {'1', '2', '3', '4'};
+    byte_vector pin {'1', '2', '3', '4'};
 
     std::cout << "WARNING! Using hard-coded PIN "
-              << std::string(reinterpret_cast<const char*>(pin.data()), pin.size()) << '\n';
+              << std::string_view(reinterpret_cast<const char*>(pin.data()), pin.size()) << '\n';
 
     const byte_vector dataToSign {'H', 'e', 'l', 'l', 'o', ' ', 'w', 'o', 'r', 'l', 'd', '!'};
     const JsonWebSignatureAlgorithm hashAlgo = cardInfo->eid().authSignatureAlgorithm();
     const byte_vector hash = calculateDigest(hashAlgo.hashAlgorithm(), dataToSign);
-    auto signature = cardInfo->eid().signWithAuthKey(pin, hash);
+    auto signature = cardInfo->eid().signWithAuthKey(std::move(pin), hash);
 
     std::cout << "Authentication signature: " << signature << '\n';
 
diff --git a/tests/integration/test-signing.cpp b/tests/integration/test-signing.cpp
@@ -65,7 +65,7 @@ static void signing(HashAlgorithm hashAlgo)
     const byte_vector dataToSign {'H', 'e', 'l', 'l', 'o', ' ', 'w', 'o', 'r', 'l', 'd', '!'};
     const byte_vector hash = calculateDigest(hashAlgo, dataToSign);
 
-    auto signature = cardInfo->eid().signWithSigningKey(pin, hash, hashAlgo);
+    auto signature = cardInfo->eid().signWithSigningKey(std::move(pin), hash, hashAlgo);
 
     std::cout << "Signing signature: " << signature.first << '\n';
 
diff --git a/tests/mock/test-get-certificate.cpp b/tests/mock/test-get-certificate.cpp

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ JsonWebSignatureAlgorithm MsCryptoApiElectronicID::authSignatureAlgorithm() cons`
`34`	`34`	`return getAuthAlgorithmFromCert(certData);`
`35`	`35`	`}`
`36`	`36`
`37`		`-byte_vector MsCryptoApiElectronicID::signWithAuthKey(const byte_vector& /* pin */,`
	`37`	`+byte_vector MsCryptoApiElectronicID::signWithAuthKey(byte_vector&& /* pin */,`
`38`	`38`	`const byte_vector& hash) const`
`39`	`39`	`{`
`40`	`40`	`if (certType != CertificateType::AUTHENTICATION) {`
`@@ -56,7 +56,7 @@ const std::set<SignatureAlgorithm>& MsCryptoApiElectronicID::supportedSigningAlg`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`ElectronicID::Signature`
`59`		`-MsCryptoApiElectronicID::signWithSigningKey(const byte_vector& /* pin */, const byte_vector& hash,`
	`59`	`+MsCryptoApiElectronicID::signWithSigningKey(byte_vector&& /* pin */, const byte_vector& hash,`
`60`	`60`	`const HashAlgorithm hashAlgo) const`
`61`	`61`	`{`
`62`	`62`	`if (certType != CertificateType::SIGNING) {`
Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ class MsCryptoApiElectronicID : public ElectronicID`
`84`	`84`	`return {uint8_t(PIN_RETRY_COUNT_PLACEHOLDER), PIN_RETRY_COUNT_PLACEHOLDER};`
`85`	`85`	`}`
`86`	`86`
`87`		`- byte_vector signWithAuthKey(const byte_vector& pin, const byte_vector& hash) const override;`
	`87`	`+ byte_vector signWithAuthKey(byte_vector&& pin, const byte_vector& hash) const override;`
`88`	`88`
`89`	`89`	`const std::set<SignatureAlgorithm>& supportedSigningAlgorithms() const override;`
`90`	`90`
`@@ -98,7 +98,7 @@ class MsCryptoApiElectronicID : public ElectronicID`
`98`	`98`	`return {uint8_t(PIN_RETRY_COUNT_PLACEHOLDER), PIN_RETRY_COUNT_PLACEHOLDER};`
`99`	`99`	`}`
`100`	`100`
`101`		`- Signature signWithSigningKey(const byte_vector& pin, const byte_vector& hash,`
	`101`	`+ Signature signWithSigningKey(byte_vector&& pin, const byte_vector& hash,`
`102`	`102`	`const HashAlgorithm hashAlgo) const override;`
`103`	`103`
`104`	`104`	`std::string name() const override`
Original file line number	Diff line number	Diff line change
`@@ -46,15 +46,15 @@ byte_vector EIDIDEMIA::getCertificateImpl(const CertificateType type) const`
`46`	`46`	`: selectCertificate().SIGN_CERT);`
`47`	`47`	`}`
`48`	`48`
`49`		`-byte_vector EIDIDEMIA::signWithAuthKeyImpl(const byte_vector& pin, const byte_vector& hash) const`
	`49`	`+byte_vector EIDIDEMIA::signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const`
`50`	`50`	`{`
`51`	`51`	`// Select authentication application and authentication security environment.`
`52`	`52`	`transmitApduWithExpectedResponse(*card, selectApplicationID().MAIN_AID);`
`53`	`53`	`transmitApduWithExpectedResponse(*card, selectApplicationID().AUTH_AID);`
`54`	`54`	`selectAuthSecurityEnv();`
`55`	`55`
`56`		`- verifyPin(*card, AUTH_PIN_REFERENCE, pin, authPinMinMaxLength().first, pinBlockLength(),`
`57`		`- PIN_PADDING_CHAR);`
	`56`	`+ verifyPin(*card, AUTH_PIN_REFERENCE, std::move(pin), authPinMinMaxLength().first,`
	`57`	`+ pinBlockLength(), PIN_PADDING_CHAR);`
`58`	`58`
`59`	`59`	`return internalAuthenticate(*card,`
`60`	`60`	`authSignatureAlgorithm().isRSAWithPKCS1Padding()`
`@@ -69,7 +69,7 @@ ElectronicID::PinRetriesRemainingAndMax EIDIDEMIA::authPinRetriesLeftImpl() cons`
`69`	`69`	`return pinRetriesLeft(AUTH_PIN_REFERENCE);`
`70`	`70`	`}`
`71`	`71`
`72`		`-ElectronicID::Signature EIDIDEMIA::signWithSigningKeyImpl(const byte_vector& pin,`
	`72`	`+ElectronicID::Signature EIDIDEMIA::signWithSigningKeyImpl(byte_vector&& pin,`
`73`	`73`	`const byte_vector& hash,`
`74`	`74`	`const HashAlgorithm hashAlgo) const`
`75`	`75`	`{`
`@@ -88,8 +88,8 @@ ElectronicID::Signature EIDIDEMIA::signWithSigningKeyImpl(const byte_vector& pin`
`88`	`88`	`}`
`89`	`89`	`}`
`90`	`90`
`91`		`- verifyPin(*card, signingPinReference(), pin, signingPinMinMaxLength().first, pinBlockLength(),`
`92`		`- PIN_PADDING_CHAR);`
	`91`	`+ verifyPin(*card, signingPinReference(), std::move(pin), signingPinMinMaxLength().first,`
	`92`	`+ pinBlockLength(), PIN_PADDING_CHAR);`
`93`	`93`
`94`	`94`	`return {useInternalAuthenticateAndRSAWithPKCS1PaddingDuringSigning()`
`95`	`95`	`? internalAuthenticate(*card, addRSAOID(hashAlgo, hash), name())`
Original file line number	Diff line number	Diff line change
`@@ -75,9 +75,9 @@ byte_vector FinEIDv3::getCertificateImpl(const CertificateType type) const`
`75`	`75`	`*card, type.isAuthentication() ? SELECT_AUTH_CERT_FILE : SELECT_SIGN_CERT_FILE_V3);`
`76`	`76`	`}`
`77`	`77`
`78`		`-byte_vector FinEIDv3::signWithAuthKeyImpl(const byte_vector& pin, const byte_vector& hash) const`
	`78`	`+byte_vector FinEIDv3::signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const`
`79`	`79`	`{`
`80`		`- return sign(authSignatureAlgorithm().hashAlgorithm(), hash, pin, AUTH_PIN_REFERENCE,`
	`80`	`+ return sign(authSignatureAlgorithm().hashAlgorithm(), hash, std::move(pin), AUTH_PIN_REFERENCE,`
`81`	`81`	`authPinMinMaxLength(), AUTH_KEY_REFERENCE, RSA_PSS_ALGO, 0x00);`
`82`	`82`	`}`
`83`	`83`
`@@ -91,11 +91,10 @@ const std::set<SignatureAlgorithm>& FinEIDv3::supportedSigningAlgorithms() const`
`91`	`91`	`return ELLIPTIC_CURVE_SIGNATURE_ALGOS();`
`92`	`92`	`}`
`93`	`93`
`94`		`-ElectronicID::Signature FinEIDv3::signWithSigningKeyImpl(const byte_vector& pin,`
`95`		`- const byte_vector& hash,`
	`94`	`+ElectronicID::Signature FinEIDv3::signWithSigningKeyImpl(byte_vector&& pin, const byte_vector& hash,`
`96`	`95`	`const HashAlgorithm hashAlgo) const`
`97`	`96`	`{`
`98`		`- return {sign(hashAlgo, hash, pin, SIGNING_PIN_REFERENCE, signingPinMinMaxLength(),`
	`97`	`+ return {sign(hashAlgo, hash, std::move(pin), SIGNING_PIN_REFERENCE, signingPinMinMaxLength(),`
`99`	`98`	`SIGNING_KEY_REFERENCE_V3, ECDSA_ALGO, 0x40),`
`100`	`99`	`{SignatureAlgorithm::ES, hashAlgo}};`
`101`	`100`	`}`
`@@ -105,10 +104,9 @@ ElectronicID::PinRetriesRemainingAndMax FinEIDv3::signingPinRetriesLeftImpl() co`
`105`	`104`	`return pinRetriesLeft(SIGNING_PIN_REFERENCE);`
`106`	`105`	`}`
`107`	`106`
`108`		`-byte_vector FinEIDv3::sign(const HashAlgorithm hashAlgo, const byte_vector& hash,`
`109`		`- const byte_vector& pin, byte_type pinReference,`
`110`		`- PinMinMaxLength pinMinMaxLength, byte_type keyReference,`
`111`		`- byte_type signatureAlgo, byte_type LE) const`
	`107`	`+byte_vector FinEIDv3::sign(const HashAlgorithm hashAlgo, const byte_vector& hash, byte_vector&& pin,`
	`108`	`+ byte_type pinReference, PinMinMaxLength pinMinMaxLength,`
	`109`	`+ byte_type keyReference, byte_type signatureAlgo, byte_type LE) const`
`112`	`110`	`{`
`113`	`111`	`if (signatureAlgo != ECDSA_ALGO && hashAlgo.isSHA3()) {`
`114`	`112`	`THROW(ArgumentFatalError, "No OID for algorithm " + std::string(hashAlgo));`
`@@ -137,7 +135,7 @@ byte_vector FinEIDv3::sign(const HashAlgorithm hashAlgo, const byte_vector& hash`
`137`	`135`
`138`	`136`	`transmitApduWithExpectedResponse(*card, SELECT_MASTER_FILE);`
`139`	`137`
`140`		`- verifyPin(*card, pinReference, pin, pinMinMaxLength.first, pinMinMaxLength.second,`
	`138`	`+ verifyPin(*card, pinReference, std::move(pin), pinMinMaxLength.first, pinMinMaxLength.second,`
`141`	`139`	`PIN_PADDING_CHAR);`
`142`	`140`	`// Select security environment for COMPUTE SIGNATURE.`
`143`	`141`	`selectSecurityEnv(*card, 0xB6, signatureAlgo, keyReference, name());`
`@@ -198,17 +196,16 @@ byte_vector FinEIDv4::getCertificateImpl(const CertificateType type) const`
`198`	`196`	`*card, type.isAuthentication() ? SELECT_AUTH_CERT_FILE : SELECT_SIGN_CERT_FILE_V4);`
`199`	`197`	`}`
`200`	`198`
`201`		`-byte_vector FinEIDv4::signWithAuthKeyImpl(const byte_vector& pin, const byte_vector& hash) const`
	`199`	`+byte_vector FinEIDv4::signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const`
`202`	`200`	`{`
`203`		`- return sign(authSignatureAlgorithm().hashAlgorithm(), hash, pin, AUTH_PIN_REFERENCE,`
	`201`	`+ return sign(authSignatureAlgorithm().hashAlgorithm(), hash, std::move(pin), AUTH_PIN_REFERENCE,`
`204`	`202`	`authPinMinMaxLength(), AUTH_KEY_REFERENCE, ECDSA_ALGO, 0x60);`
`205`	`203`	`}`
`206`	`204`
`207`		`-ElectronicID::Signature FinEIDv4::signWithSigningKeyImpl(const byte_vector& pin,`
`208`		`- const byte_vector& hash,`
	`205`	`+ElectronicID::Signature FinEIDv4::signWithSigningKeyImpl(byte_vector&& pin, const byte_vector& hash,`
`209`	`206`	`const HashAlgorithm hashAlgo) const`
`210`	`207`	`{`
`211`		`- return {sign(hashAlgo, hash, pin, SIGNING_PIN_REFERENCE, signingPinMinMaxLength(),`
	`208`	`+ return {sign(hashAlgo, hash, std::move(pin), SIGNING_PIN_REFERENCE, signingPinMinMaxLength(),`
`212`	`209`	`SIGNING_KEY_REFERENCE_V4, ECDSA_ALGO, 0x60),`
`213`	`210`	`{SignatureAlgorithm::ES, hashAlgo}};`
`214`	`211`	`}`
Original file line number	Diff line number	Diff line change
`@@ -43,16 +43,15 @@ inline pcsc_cpp::byte_vector getCertificate(pcsc_cpp::SmartCard& card,`
`43`	`43`	`return readBinary(card, length, MAX_LE_VALUE);`
`44`	`44`	`}`
`45`	`45`
`46`		`-inline pcsc_cpp::byte_vector addPaddingToPin(const pcsc_cpp::byte_vector& pin, size_t paddingLength,`
	`46`	`+inline pcsc_cpp::byte_vector addPaddingToPin(pcsc_cpp::byte_vector&& pin, size_t paddingLength,`
`47`	`47`	`pcsc_cpp::byte_type paddingChar)`
`48`	`48`	`{`
`49`		`- auto paddedPin = pin;`
`50`		`- paddedPin.resize(std::max(pin.size(), paddingLength), paddingChar);`
`51`		`- return paddedPin;`
	`49`	`+ pin.resize(std::max(pin.size(), paddingLength), paddingChar);`
	`50`	`+ return pin;`
`52`	`51`	`}`
`53`	`52`
`54`	`53`	`inline void verifyPin(pcsc_cpp::SmartCard& card, pcsc_cpp::byte_type p2,`
`55`		`- const pcsc_cpp::byte_vector& pin, uint8_t pinMinLength, size_t paddingLength,`
	`54`	`+ pcsc_cpp::byte_vector&& pin, uint8_t pinMinLength, size_t paddingLength,`
`56`	`55`	`pcsc_cpp::byte_type paddingChar)`
`57`	`56`	`{`
`58`	`57`	`const pcsc_cpp::CommandApdu VERIFY_PIN {0x00, 0x20, 0x00, p2};`
`@@ -64,8 +63,8 @@ inline void verifyPin(pcsc_cpp::SmartCard& card, pcsc_cpp::byte_type p2,`
`64`	`63`	`response = card.transmitCTL(verifyPin, 0, pinMinLength);`
`65`	`64`
`66`	`65`	`} else {`
`67`		`- const pcsc_cpp::CommandApdu verifyPin {VERIFY_PIN,`
`68`		`- addPaddingToPin(pin, paddingLength, paddingChar)};`
	`66`	`+ const pcsc_cpp::CommandApdu verifyPin {`
	`67`	`+ VERIFY_PIN, addPaddingToPin(std::move(pin), paddingLength, paddingChar)};`
`69`	`68`
`70`	`69`	`response = card.transmit(verifyPin);`
`71`	`70`	`}`
Original file line number	Diff line number	Diff line change
`@@ -214,7 +214,7 @@ ElectronicID::PinRetriesRemainingAndMax Pkcs11ElectronicID::authPinRetriesLeft()`
`214`	`214`	`return {authToken.retry, module.retryMax};`
`215`	`215`	`}`
`216`	`216`
`217`		`-pcsc_cpp::byte_vector Pkcs11ElectronicID::signWithAuthKey(const byte_vector& pin,`
	`217`	`+pcsc_cpp::byte_vector Pkcs11ElectronicID::signWithAuthKey(byte_vector&& pin,`
`218`	`218`	`const byte_vector& hash) const`
`219`	`219`	`{`
`220`	`220`	`REQUIRE_NON_NULL(manager)`
`@@ -254,7 +254,7 @@ ElectronicID::PinRetriesRemainingAndMax Pkcs11ElectronicID::signingPinRetriesLef`
`254`	`254`	`return {signingToken.retry, module.retryMax};`
`255`	`255`	`}`
`256`	`256`
`257`		`-ElectronicID::Signature Pkcs11ElectronicID::signWithSigningKey(const byte_vector& pin,`
	`257`	`+ElectronicID::Signature Pkcs11ElectronicID::signWithSigningKey(byte_vector&& pin,`
`258`	`258`	`const byte_vector& hash,`
`259`	`259`	`const HashAlgorithm hashAlgo) const`
`260`	`260`	`{`